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DETAILED ACTION 

1. This Office action is responsive to the following communication: Amendment filed on 13 
November 2008. 

2. Claims 1-21 and 24-28 are pending and present for examination. 

Response to Amendment 

3. Claims 1, 9, and 16 have been amended. 

4. No claims have been further cancelled. 

5. No claims have been newly added. 

Claim Rejections - 35 USC § 101 

6. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

7. As per the claim rejections under 35 U.S.C. 101, Applicant's amendment has been acknowledged. 
Accordingly the rejections have been withdrawn. 



Claim Rejections - 35 USC§ 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

9. Claims 1-3, 6, 8-11, 14, 16-18, 21, and 24-28 are rejected under 35 U.S.C. 103(a) as being 



unpatentable over Pisello et al (U.S. Patent No. 5,495,607, hereinafter referred to PISELLO), filed on 
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November 15, 1993, and issued on February 27, 1996, in view of Stupek, Jr. et al (U.S. Patent No. 
5,586,304, hereinafter referred to as STUPEK), filed on 8 September 1994, and issued on 17 December 
1996, and in further view of Miyata et al (USPGPUB No. 2004/0117401, hereinafter referred to as 
MIYATA), filed on 21 April 2003, and published on 17 June 2004. 

10. As per independent claim 1, 9 and 16, PISELLO, in combination with STUPEK and MIYATA, 
discloses: 

A computer implemented method for gleaning file attributes independently of file format, 
the method comprising the steps of: 

a non-application-specific file attribute manager receiving a plurality of files in a 

plurality of formats {See PISELLO, col. 13, lines 14-19, wherein this reads over "a domain-wide 
status-monitor . . . periodically scan[s]"}; 

the file attribute manager scanning the plurality of received files in the plurality of 
formats {See PISELLO, col. 13, lines 14-19, wherein this reads over "a domain-wide status-monitor 
. . . periodically scan[s]"}; 

the file attribute manager gleaning attributes from each of the plurality of scanned 
files in the plurality of formats {See PISELLO, col. 13, lines 48-51, wherein this reads over "to 
collect the file identifying information stored at a given scan time"; and col. 15, lines 36-51, wherein 
this reads over, searchable database fields preferably include: . . . FileName;PathName"}; 

the file attribute manager storing the file attributes gleaned from each of the plurality 
of scanned files as a plurality of records in a database {See pisello, col. 13, lines 51- 

56, wherein this reads over "to integrate the collected information into the domain-wide virtual 
catalog"}; 

the file attribute manager indexing specific file attributes gleaned from specific files 
according to contents of the specific files, the specific file attributes being stored 
as ones of the plurality of records in the database {See pisello, col. 14, lines 16-19, 

wherein this reads over "Table 2 which shows an example of what might be displayed . . . [from] the 
domain administrating data/rule base"}; 

examining one Of the plurality Of files {See PISELLO, col. 13, lines 14-19, wherein this reads over 
"a domain-wide status-monitor . . . periodically scanfs]"; and col. 13, lines 48-51, wherein this reads 
over "to collect the file identifying information stored at a given scan time"; and col. 15, lines 36-51, 
wherein this reads over, searchable database fields preferably include: . . . FileName; PathName"}; 

retrieving from the plurality of records in the database at least one record associated 
with the examined one of the plurality of files {See stupek, C3:L64-67, wherein this 

reads over "the upgrade advisor retrieves information about the MIB 5 from a server database 13 
located in the server manager"; and C4:L2-26, wherein this reads over "the upgrade database may 
also contain information about a resource (e.g., a driver) which is not recognized by the server 
manager. In this situation, the upgrade advisor places information about the resource (e.g., name, 
version number) into a driver table 32 in the MIB 5. An agent 21 of the server manager located in the 
server uses this information to search for the resource (i.e., to see if the resource has been installed 
on the network). If so, the server manager creates entries for the resource in the server database"}; 
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retrieving from the plurality of records in the database a second record associated 

With a malicious file {See MIYATA, [0032], wherein this reads over "reads on virus pattern from 
virus database 1621" and "checks whether or not F is infected wit ha virus corresponding to P"}j. 

analyzing the gleaned attributes gleaned from examined one of the plurality of files, 
the gleaned file attributes having been retrieved from the first record; {See 

STUPEK, C4:L5-13, wherein this reads over "the upgrade advisor 11 retrieves information about the 
MIB 5 from a server database 13 located in the server manager. The server database 13 tells the 
upgrade advisor 11 the location of each piece of information contained in the MIB. The upgrade 
advisor 11 supplies the location information to a data retriever 15, which uses it to retrieve from the 
MIB 5 data (MIB data) about the network resources 3. The upgrade advisor 11 then retrieves 
upgrade information from the upgrade database 9 and performs two types of comparisons: a) 
whether or not a particular upgrade package corresponds to a resource on the server, and b) 
whether or not the version number of the upgrade package matches the version number of the 
corresponding network resource (i.e, whether or not the upgrade package represents a true upgrade 
for the existing network resource)"}; and 

analyzing one or more attributes of the malicious file, the one or more attributes of 
the malicious file having been gleaned from the second record {See miyata, [0019], 

wherein this reads over "virus scanner 1532, which compares a suspected file with associated 
patterns contained in virus database 1621") ; and 

determining whether a status of the examined one of the plurality of files is malicious 

{See MIYATA, [0019], wherein this reads over "virus scanner 1532, which compares a suspected file 
with associated patterns contained in virus database 1621"}, responsive to analyzing the 
gleaned file attributes {See STUPEK, C13-20, wherein this reads over "If the upgrade applies to 
a resource on the server and if the upgraded and current versions of the network resource do not 
match, the upgrade advisor 11 uses additional information from the upgrade database 9 to analyze 
the level of severity of the upgrade, i.e., to determine the importance of the upgrade to the efficient 
operation of the server."} and the one or more attributes of the malicious file {See 
MIYATA, [0019], wherein this reads over "virus scanner 1532, which compares a suspected file with 
associated patterns contained in virus database 1621"}. 

While PISELLO fails to expressly disclose the method step of analyzing gleaned attributes and 
thereafter determining a status, the prior art of STUPEK discloses a method wherein information is 
retrieved from a database, and said information is summarily compared with upgrade information to 
determine whether an upgrade is necessary. That is the prior art of STUPEK discloses a method wherein 
file attributes such as the name, version number, and a timestamp, which have been gleaned from a file, 
are compared and verified. The combination of inventions disclosed in PISELLO and STUPEK would 
disclose a method comprising of examining a file, analyzing the gleaned attributes concerning the file 
with records retrieved from the database (e.g. upgrade information), and determining the status of the 
file (i.e. whether or not the versions match). Therefore, it would have been obvious to one of ordinary 
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skill in the art at the time the invention was made to modify the above invention suggested by PISELLO 
by combining it with the invention disclosed by STUPEK. 

One of ordinary skill in the art would have been motivated to do this modification so malicious or 
illegitimate files are blocked from entering the computer, from executing, and from performing certain 
functions while executing. 

Additionally, while the combination of PISELLO and STUPEK may fail to expressly disclose the 
method step of determining whether a file is malicious, the prior art of MIYATA discloses an invention 
wherein a virus pattern is retrieved from a virus database and used to determine by comparison whether 
a file is malicious. The combination of invention disclosed in PISELL, STUPEK, and MIYATA would 
disclose a method wherein the data pattern (i.e. the attribute) is gleaned from the files such that the 
virus pattern is used to verify whether the file is malicious or not. Therefore, it would have been obvious 
to one of ordinary skill in the art at the time the invention was made to modify the above invention 
suggested by the combination of PISELLO and STUPEK by combining it with the invention as disclosed by 
MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification so that gleaned 
attributes may be used to verify the authenticity of a file. 

11. As per dependent claims 2, 10, and 17, PISELLO, in combination with STUPEK and MIYATA, 
discloses: 

A method wherein specific types of file attributes are gleaned from a specific file 
as a function of a protocol according to which the file is transmitted {See pisello, Table 2, 

wherein this includes the file-server name under the column labeled "File_Source" and the sender name under 
the column labeled "By"}. 

12. As per dependent claim 3, 11, 18, PISELLO, in combination with STUPEK and MIYATA, 
discloses: 

A method wherein specific types of file attributes are gleaned from a specific file 

as a function Of a format Of the file {See PISELLO, col. 15, lines 46-51, wherein this reads over 
"Novell-defined attributes"}. 
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13. As per dependent claims 6, 14, 21, PISELLO, in combination with STUPEK and 
MIYATA, discloses: 

A method further comprising the file attribute manager receiving a plurality of 
copies of a selected file of the plurality of files, and the file attribute manager storing 
each of the plurality of copies as a separate record in the plurality of records, each 
separate record indexed according to the contents of the selected file of the plurality of 
files, such that the each separate record can be accessed by the single index {See pisello, 

Table 2; and col. 14, lines 62-64, wherein this reads over "the same file name may appear multiple times in the 
listing of Table 2, even with identical path names (e.g., 'Dave. doc')"}. 

14. As per dependent claim 8, PISELLO, in combination with STUPEK and MIYATA, discloses: 

The method wherein the non-application-specific file attribute manager is 
incorporated into one selected from the group consisting of: 

A firewall; 

An intrusion detection system; 

An intrusion detection system application proxy; 

A router; 

A switch; 

A standalone proxy; 

A server; {See PISELLO, col. 13, lines 14-15, wherein this reads over "domain-wide status-monitor 
and control program is installed in the domain administrating server"}. 
A gateway 

An anti-virus detection system; and 
A client. 

Additionally, the claim limitation optionally recites a method wherein the attribute 
manager is incorporated into an selected entity, for the purposes of this examination, a server 
will be considered the selected entity and the remainder entities will not be provided further 
consideration nor will prior art be applied in said consideration. 

15. As per dependent claim 24, PISELLO, in combination with STUPEK and MIYATA, discloses a 
method of blocking a file upon the determination that the received file is malicious {See stupek, C8:L30-48}. 

While PISELLO fails to expressly disclose a method wherein a file is blocked upon a maliciousness 
determination, STUPEK discloses a method wherein if an upgrade is not applicative, the upgrade is not 
included within the upgrade package. The combination of inventions disclosed in PISELLO and STUPEK 
would disclose a method comprising of blocking the file upon the determination that the received file is 
malicious (i.e. the package object retrieves comparison results and combined them to determine package 
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status (i.e., whether or not the package applies to the server, and whether the package needs to be 
upgraded on the server). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the above invention suggested by PISELLO by combining it with 
the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification such that files 
which are not legitimate are blocked from entering the server, from executing, and from performing 
certain functions while executing. 

16. As per dependent claim 25, PISELLO, in combination with STUPEK and MIYATA, discloses a 
method of not blocking the file upon the determination that the received file is legitimate {See stupek, 

C8:L30-48}. 

While PISELLO fails to expressly disclose a method wherein a file is blocked upon a maliciousness 
determination, STUPEK discloses a method wherein if an upgrade is applicative, the upgrade is included 
within the upgrade package. The combination of inventions disclosed in PISELLO and STUPEK would 
disclose a method comprising of allowing the file upon the determination that the received file is 
legitimate (i.e. the package object retrieves comparison results and combined them to determine package 
status (i.e., whether or not the package applies to the server, and whether the package needs to be 
upgraded on the server). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the above invention suggested by PISELLO by combining it with 
the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification such that files 
which are not legitimate are allowed to enter the server, execute, and perform certain functions while 
executing. 

17. As per dependent claim 26, PISELLO, in combination with STUPEK and MIYATA, discloses a 
method for applying a rule specifying how to use gleaned file attributes to process the file {See stupek, 

C13-20, wherein this reads over "If the upgrade applies to a resource on the server and if the upgraded and current versions of the 
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network resource do not match, the upgrade advisor 11 uses additional information from the upgrade database 9 to analyze the 
level of severity of the upgrade, i.e., to determine the importance of the upgrade to the efficient operation of the server."}. 

The combination of inventions disclosed in PISELLO and STUPEK would disclose a method 
comprising for applying a rule specifying how to use gleaned file attributes to process a file. Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to modify 
the above invention suggested by PISELLO by combining it with the invention disclosed by STUPEK and 
MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification in order to 
determine the legitimacy of a file by analyzing and processing the gleaned attributes according to a set 
rule. 

18. As per dependent claim 27, PISELLO, in combination with STUPEK and MIYATA, discloses a 
method for determining a rule to apply specifying how to use gleaned file attributes to process the file 
{See STUPEK, C13-20, wherein this reads over "If the upgrade applies to a resource on the server and if the upgraded and current 
versions of the network resource do not match, the upgrade advisor 11 uses additional information from the upgrade database 9 to 
analyze the level of severity of the upgrade, i.e., to determine the importance of the upgrade to the efficient operation of the 
server."}. 

While PISELLO fails to expressly disclose a method for determining a rule to apply specifying how 
to use gleaned file attributes to process the file, the prior art of STUPEK discloses a method wherein the 
upgrade manager performs comparisons on the attributes of the file, specifically the version number. The 
combination of inventions disclosed in PISELLO and STUPEK would disclose a method comprising of 
determining at least one of a plurality of rules to apply to a file. Therefore, it would have been obvious 
to one of ordinary skill in the art at the time the invention was made to modify the above invention 
suggested by PISELLO by combining it with the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification so that 
upon the failure or passage of a file in a rule, further gleaned attributes may be checked to 
determine the legitimacy of a file. 
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19. As per dependent claim 8, PISELLO, in combination with STUPEK and MIYATA, discloses: 
The method of claim 1, wherein the plurality of files are received from a network 

Connection {See STUPEK, Figures 1, 2, 6, and 11}. 

20. Claims 4, 12, and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view of STUPEK and MIYATA, and in further view of Fischer (U.S. Patent No. 5,694, 569, hereinafter 
referred to as FISCHER), filed on June 5, 1995, and issued on December 2, 1997. 

PISELLO, STUPEK, and MIYATA disclose the limitations of claims 1-3, 6, 8-11, 14, 16-18, and 21 
for the reasons stated above. 

PISELLO, STUPEK, and MIYATA differ from the claimed invention in that they fail to disclose a 
method further comprising the file attribute manager indexing attributes being stored by using a secure 
hash of the contents of that file (claims 4, 12, and 19). 

21. As per dependent claim 4, 12, and 19, PISELLO, in combination with STUPEK, MIYATA, and 
FISCHER, discloses a method further comprising the file attribute manager indexing attributes being 
stored as a record in the database concerning a specific file according to a secure hash of the contents of 

that file {See FISCHER, col. 1, lines 40-50, wherein this reads over "file integrity may be protected by taking a one-way hash over 
the contents of the file. By implementing and checking a currently computed hash value, with a previously stored hash value"}. 

The combination of inventions disclosed in PISELLO, STUPEK, and FISCHER would disclose a 
method wherein the file attribute manager would index attributes in a database according to a secure 
hash, by using a secure hash algorithm (SHA), of the contents of that file. Therefore, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to modify the above 
invention suggested by PISELLO by combining it with the invention disclosed by STUPEK, MIYATA, and 
FISCHER. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
records may be indexed securely and subsequently retrieved by a blocking system. 

22. Claims 5, 13, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view STUPEK and MIYATA, and in further view of Baker (USPGPUB No. 2003/0233352, hereinafter 
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referred to as BAKER), filed on March 19, 2003, claiming priority to March 21, 2002, and published on 
December 18, 2003. 

PISELLO, STUPEK, and MIYATA disclose the limitations of claims 1-3, 6, 8-11, 14, 16-18, and 21 
for the reasons stated above. 

PISELLO, STUPEK, and MIYATA differ from the claimed invention in that they fail to 
disclose a method further comprising the file attribute manager indexing attributes according to a 
cyclical redundancy check of the contents of that file (claims 5, 13, and 20). 

23. As per dependent claims 5, 13, and 20, PISELLO, in combination with STUPEK, MIYATA, and 
BAKER, discloses a method further comprising the file attribute manager indexing attributes being stored 
as a record in the database concerning a specific file according to a cyclical redundancy check of the 

contents of that file {See BAKER, Para. 0008, wherein this reads over "[t]he controller may be further programmed ... to 
determine a cyclical redundancy check of the file"}. 

While PISELLO fails to expressly disclose a method of utilizing a CRC on the contents of a file, 
BAKER discloses a means for applying a CRC on the file for validation purposes. The combination of 
inventions disclosed in PISELLO, STUPEK, MIYATA, and BAKER would disclose a method wherein the file 
attribute manager would index attributes in a database according to a cyclical redundancy check of the 
contents of that file. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the above invention suggested by PISELLO by combining it with the 
invention disclosed by STUPEK, MIYATA, and BAKER. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
records may be indexed securely and subsequently retrieved by a blocking system. 

24. Claims 7, 15, and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view of STUPEK and MIYATA, and in further view of Chino et al (USPGPUB 2002/0046207), filed on 
June 25, 2001, and published on April 18, 2002. 

PISELLO, STUPEK, and MIYATA disclose the limitations of claims 1-3, 6, 8-11, 14, 16-18, and 21 
for the reasons stated above. 
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PISELLO, STUPEK, and MIYATA differ from the claimed invention in that they fail to disclose a 
method which deletes records from the database after the records have been stored for a specific period 
of time (claims 7, 15, and 22). 

25. As per dependent claims 7, 15, and 22, PISELLO, in combination with STUPEK, MIYATA, and 
CHINO, discloses a method further comprising of deleting records from the database after the records 
have been Stored for a specific period Of time {See CHINO, Para. 0060, wherein this reads over "location information 
collector determines whether a predetermined time , e.g. two hours, has passed wince the record of the current location registered 
in the respective tables of the location information storage was collected, and sequentially deletes those records with a 
predetermined time elapsed"}. 

While PISELLO fails to expressly disclose a method of purging files, CHINO discloses a method of 
purging records when a predetermined time has elapsed. The combination of inventions disclosed in 
PISELLO, STUPEK, MIYATA, and CHINO would disclose a method comprising of deleting records with a 
predetermined time elapsed. Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the above invention suggested by PISELLO by combining it 
with the invention disclosed by STUPEK, MIYATA, and CHINO. 

One of ordinary skill in the art would have been motivated to do this modification so that 
the database is kept current and free of obsolete records. 

Response to Arguments 

26. Applicant's arguments with respect to claim rejections under 35 U.S.C. 103 have been considered 
but are moot in view of the new ground(s) of rejection. 

Conclusion 

27. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 
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A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

28. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to PAUL KIM whose telephone number is (571)272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Tony Mahmoudi can be reached on (571) 272-4078. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Tony Mahmoudi/ Paul Kim 

Supervisory Patent Examiner, Art Unit 2169 Examiner, Art Unit 2169 

TECH Center 2100 

/pk/ 



